Merge pull request #590 from edx/jarv/nginx-ssl

Jarv/nginx ssl

Merge pull request #590 from edx/jarv/nginx-ssl
Jarv/nginx ssl
ef35970b · John Jarvis · bf9857d9 · e5a500a0 · ef35970b · ef35970b
Commit ef35970b authored Dec 30, 2013 by John Jarvis
6 changed files
--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -83,8 +83,11 @@ EDXAPP_RABBIT_HOSTNAME: 'localhost'
 EDXAPP_XML_MAPPINGS: {}

 EDXAPP_LMS_NGINX_PORT: 18000
+EDXAPP_LMS_SSL_NGINX_PORT: 48000
+
 EDXAPP_LMS_PREVIEW_NGINX_PORT: 18020
 EDXAPP_CMS_NGINX_PORT: 18010
+EDXAPP_CMS_SSL_NGINX_PORT: 48010

 EDXAPP_LANG: 'en_US.UTF-8'
 EDXAPP_TIME_ZONE: 'America/New_York'

--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -3,6 +3,18 @@
 # Set global htaccess for nginx
 NGINX_HTPASSWD_USER: !!null
 NGINX_HTPASSWD_PASS: !!null
+NGINX_ENABLE_SSL: False
+# Set these to real paths on your
+# filesystem, otherwise nginx will
+# use a self-signed snake-oil cert
+#
+# To use a certificate chain add the contents
+# to your certificate:
+#
+# cat www.example.com.crt bundle.crt > www.example.com.chained.crt
+
+NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
+NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'

 nginx_app_dir: "{{ COMMON_APP_DIR }}/nginx"
 nginx_data_dir: "{{ COMMON_DATA_DIR }}/nginx"

--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -75,6 +75,21 @@
    path={{ nginx_log_dir}} state=directory
    owner={{ common_web_user }} group={{ common_web_user }}

+- name: nginx | copy ssl cert
+  copy: >
+    src={{ NGINX_SSL_CERTIFICATE }}
+    dest=/etc/ssl/certs/{{ item|basename }}
+    owner=root group=root mode=0644
+  when: NGINX_ENABLE_SSL and NGINX_SSL_CERTIFICATE != 'ssl-cert-snakeoil.pem'
+
+- name: nginx | copy ssl key
+  copy: >
+    src={{ NGINX_SSL_KEY }}
+    dest=/etc/ssl/private/{{ item|basename }}
+    owner=root group=ssl-cert mode=0640
+  when: NGINX_ENABLE_SSL and NGINX_SSL_KEY != 'ssl-cert-snakeoil.key'
+
+
 # removing default link
 - name: nginx | Removing default nginx config and restart (enabled)
  file: path={{ nginx_sites_enabled_dir }}/default state=absent

--- a/playbooks/roles/nginx/templates/cms.j2
+++ b/playbooks/roles/nginx/templates/cms.j2
@@ -7,7 +7,18 @@ upstream cms-backend {
 server {
  # CMS configuration file for nginx, templated by ansible
      
+  {% if NGINX_ENABLE_SSL %}
+
  listen {{EDXAPP_CMS_NGINX_PORT}};
+  listen {{EDXAPP_CMS_SSL_NGINX_PORT}} ssl;
+
+  ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
+  ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
+
+  {% else %}
+  listen {{EDXAPP_CMS_NGINX_PORT}} default;
+  {% endif %}
+

  server_name studio.*;


--- a/playbooks/roles/nginx/templates/lms.j2
+++ b/playbooks/roles/nginx/templates/lms.j2
@@ -7,7 +7,17 @@ upstream lms-backend {
 server {
  # LMS configuration file for nginx, templated by ansible

+  {% if NGINX_ENABLE_SSL %}
+
+  listen {{EDXAPP_LMS_NGINX_PORT}} default;
+  listen {{EDXAPP_LMS_SSL_NGINX_PORT}} default ssl;
+
+  ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
+  ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
+
+  {% else %}
  listen {{EDXAPP_LMS_NGINX_PORT}} default;
+  {% endif %}

  access_log {{ nginx_log_dir }}/access.log;
  error_log {{ nginx_log_dir }}/error.log error;

--- a/util/jenkins/create-var-file.sh
+++ b/util/jenkins/create-var-file.sh
@@ -3,6 +3,9 @@
 cat << EOF > $extra_vars
 ---
 ansible_ssh_private_key_file: /var/lib/jenkins/${keypair}.pem
+NGINX_ENABLE_SSL: True
+EDXAPP_LMS_SSL_NGINX_PORT: 443
+EDXAPP_CMS_SSL_NGINX_PORT: 443
 EDXAPP_PREVIEW_LMS_BASE: preview.${deploy_host}
 EDXAPP_LMS_BASE: ${deploy_host}
 EDXAPP_LMS_NGINX_PORT: 80